OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: Droppie391 on January 11, 2017, 09:55:50 am

Title: access to internal host ipv6 result in destination unreachable
Post by: Droppie391 on January 11, 2017, 09:55:50 am
Situation:

dual-stack PPPoE link to ISP with link-local addresses
outgoing IPv4 and IPv6 work without a problem (floating rule IPv6-ICMP on LAN and WAN)
incoming IPv4 also no problem (NATted hosts are reachable)

rule to allow incoming IPv6 HTTP on WAN to a host called „2001:Target“
rule to allow ALL IPv6 on LAN („2001:LAN“)

incoming request reaches „2001:Target“ but the answer back to host „2a01:Requestor“ results in a destination unreachable message: (2001:LAN is the LAN address of the OPNsense box)

IP6 "2a01:Requestor".65170 > „2001:Target“.80: tcp 0
IP6 „2001:LAN“ > „2001:Target“: ICMP6, neighbor solicitation, who has „2001:Target“, length 32
IP6 „2001:Target“ > ff02::1:ff00:11: ICMP6, neighbor solicitation, who has „2001:LAN“, length 32
IP6 „2001:Target“ > „2001:LAN“: ICMP6, neighbor advertisement, tgt is „2001:Target“, length 32
IP6 „2001:Target“.80 > "2a01:Requestor".65170: tcp 0
IP6 „2001:LAN“ > „2001:Target“: ICMP6, destination unreachable, unreachable address "2a01:Requestor", length 84

We suspect that there is a problem with the default routing, as we do NOT see one for IPv6 under System – Route – Status

on the console, there IS a default route:

Internet6:
Destination        Gateway                            Flags      Netif Expire
default            fe80::211:bcff:feb9:4c08%pppoe0    UGS        pppoe0
Title: Re: access to internal host ipv6 result in destination unreachable
Post by: mbosner on January 11, 2017, 11:01:45 pm
Hello Droppie,

May I ask for your provider's name?

Cheers
Title: Re: access to internal host ipv6 result in destination unreachable
Post by: Droppie391 on January 12, 2017, 10:39:55 am
Hi, our ISP is Titan-Networks in Germany. They provide dual-stack access with static v6 (no dhcpv6)
Title: Re: access to internal host ipv6 result in destination unreachable
Post by: mbosner on January 12, 2017, 08:04:52 pm
Interesting. Your default gw is a link-local address, and that seems to be the reason why OPNsense IPv6 does not work for me, since the "track interface" option is looking for a public IP. But that might be a wrong guess.
Title: Re: access to internal host ipv6 result in destination unreachable
Post by: bartjsmit on January 12, 2017, 09:00:33 pm
Can you ping 2001:Target from OPNsense? Are they both in the same /64?

Bart...
Title: Re: access to internal host ipv6 result in destination unreachable
Post by: Droppie391 on January 13, 2017, 08:39:49 am
There is absolutely no problem in the internal network. All hosts can communicate with each other AND with ANY host outside. The problem is with hosts that we want to be reachable from the outside. Packets are getting through to the destination and are being answered by them. The problem is that the OPNsense router does not know what the way back to the external requestor is.

To clear things up, we are NOT getting a global IPv6 address from the ISP. We have set the IPv6 settings on our WAN interface to DHCPv6 (SLAAC seems to work as well, but as the Dashboard will NOT display an IPv6 address in that case, we decided to go for DHCPv6), flag "Only request an IPv6 prefix" and leave all other options off. Our ISP gave us a 48 prefix so we also set that.
On the LAN side, we use static 64 prefixes derived from the 48 prefix assigned by our ISP and Unmanaged advertisements set under Services-DHCPv6. You could use managed as well, but we have no need for that.